From 48543a85e5a0ecc7c4160a397461c10ce057a32f Mon Sep 17 00:00:00 2001
From: Edgar Magana
Date: Thu, 20 Mar 2014 15:54:49 -0700
Subject: [PATCH] Adds a section about SSL configuration for Neutron API

In this commit a new sub-section is added to explain the variables
needed to enable SSL in Neutron API.

Closes-Bug: #1106428
Change-Id: If4fd24d58c8187ea4260f753a44ff48ca1b83172
---
 .../section_networking_introduction.xml | 146 +++++++++++-------
 1 file changed, 93 insertions(+), 53 deletions(-)

diff --git a/doc/admin-guide-cloud/networking/section_networking_introduction.xml b/doc/admin-guide-cloud/networking/section_networking_introduction.xml
index fa2f37ae3e..fbb8035968 100644
--- a/doc/admin-guide-cloud/networking/section_networking_introduction.xml
+++ b/doc/admin-guide-cloud/networking/section_networking_introduction.xml
@@ -86,16 +86,76 @@ +
+ Configure SSL support for networking API + OpenStack Networking supports SSL for the Networking API + server. By default, SSL is disabled but you can enable it in + the neutron.conf file. + Set these options to configure SSL: + + + use_ssl = True + + Enables SSL on the networking API server. + + + + ssl_cert_file = /path/to/certfile + + Certificate file that is used when you + securely start the Networking API server. + + + + ssl_key_file = /path/to/keyfile + + Private key file that is used when you + securely start the Networking API server. + + + + ssl_ca_file = /path/to/cafile + + Optional. CA certificate file that is used + when you securely start the Networking API server. + This file verifies connecting clients. + Set this option when API clients must + authenticate to the API server by using SSL + certificates that are signed by a trusted + CA. + + + + tcp_keepidle = 600 + + The value of TCP_KEEPIDLE, in seconds, for + each server socket when starting the API + server. Not supported on OS X. + + + + retry_until_window = 30 + + Number of seconds to keep retrying to listen. + + + + backlog = 4096 + + Number of backlog requests with with to + configure the socket. + + + +
Load Balancing-as-a-Service (LBaaS) overview - - Load Balancing-as-a-Service (LBaaS) enables + Load Balancing-as-a-Service (LBaaS) enables Networking to distribute incoming requests evenly between designated instances. This ensures the workload is shared predictably among instances, and allows more effective use of system resources. Incoming requests are distributed using one of these load balancing methods: - Round robin @@ -134,8 +194,7 @@ - Monitors - + Monitors LBaaS provides availability monitoring with the ping, TCP, HTTP and HTTPS GET methods. Monitors are implemented to determine whether pool members are available to handle - requests. - + requests. Management - LBaaS is managed using a variety of toolsets. The + LBaaS is managed using a variety of tool sets. The REST API is available for programmatic administration and scripting. Users perform administrative management of load balancers through @@ -169,12 +227,10 @@ ensuring incoming requests are routed to the same instance within a pool of multiple instances. LBaaS supports routing decisions - based on cookies and source IP address. - + based on cookies and source IP address. -
Plug-in architecture @@ -204,16 +260,14 @@ (Floodlight REST Proxy) This guide and http://www.openflowhub.org/display/floodlightcontroller/Neutron+REST+Proxy+Plugin - + >http://www.openflowhub.org/display/floodlightcontroller/Neutron+REST+Proxy+Plugin Brocade Plug-in This guide and https://wiki.openstack.org/wiki/Brocade-neutron-plugin - + >https://wiki.openstack.org/wiki/Brocade-neutron-plugin Cisco 
@@ -1351,49 +1405,39 @@ interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver - - - Install the agent by running: - + + + Install the agent: # apt-get install neutron-lbaas-agent - - - + + Enable the HAProxy plug-in using the parameter in the /etc/neutron/neutron.conf file: - -service_provider = LOADBALANCER:Haproxy:neutron.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default - - + service_provider = LOADBALANCER:Haproxy:neutron.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default + + Enable the load balancer plugin using in the /etc/neutron/neutron.conf file: - -service_plugins = neutron.services.loadbalancer.plugin.LoadBalancerPlugin - - + service_plugins = neutron.services.loadbalancer.plugin.LoadBalancerPlugin + + Enable the HAProxy load balancer in the /etc/neutron/lbaas_agent.ini file: - -device_driver = neutron.services.loadbalancer.drivers.haproxy.namespace_driver.HaproxyNSDriver - - + device_driver = neutron.services.loadbalancer.drivers.haproxy.namespace_driver.HaproxyNSDriver + + Select the required driver in the /etc/neutron/lbaas_agent.ini file: Enable the Open vSwitch LBaaS driver: - - -interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver - Or enable the Linux Bridge LBaaS driver: - - - -interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver - Apply the new settings by restarting the + interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver + Or enable the Linux Bridge LBaaS driver: + interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver + Apply the new settings by restarting the neutron-server and neutron-lbaas-agent - services. + services. Upgrade from Havana to Icehouse There were changes in LBaaS server-agent communications in Icehouse so during 
@@ -1401,25 +1445,21 @@ interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver - - + + Enable Load Balancing in the Project section of the Dashboard user interface: Change the option to True in the /etc/openstack-dashboard/local_settings file: - - -OPENSTACK_NEUTRON_NETWORK = { -'enable_lb': True, - + OPENSTACK_NEUTRON_NETWORK = {'enable_lb': True, Apply the new settings by restarting the httpd service. You can now view the Load Balancer management options in dashboard's Project view. - - + +
Configure FWaaS agent